Surely this type of question must have been asked before. Someone from McAfee must know this.
FIPS configuration is done as part of the initial install, and can't be changed after the fact. If you try to do so, the installer won't allow it and will exit with a "this server cannot be converted to FIPS mode" message.
However I've spoken to my EEPC colleagues, and according to them it is possible to have the clients in FIPS mode without necessarily having the ePO server in FIPS mode as well. I'm trying to find out more information surrounding this.
However, if you require a fully-compliant FIPS environment, both the clients and ePO installation will need to be in FIPS mode.
When we first installed ePO, about 3 years ago, we had no idea that in the future we would need to be FIPS enabled - our crystal ball mustn't have been working that day.
Due to this oversight by McAfee we will now have to build a new server and install ePO from scratch, import the software, clients, policies etc. etc. This is very poor form by McAfee, causing this excessive work.
Thanks again Joe.
It's a little unfair to call it an "oversight" - my understanding is that it's more to do with the very strict rules surrounding FIPS compliance and validation. It's not possible to upgrade some of the core components that support legacy environments without breaking things, but it's also not possible to achieve FIPS compliance without upgrading those components - hence the installer doesn't allow this.
Whether or not this can be changed in future versions, I don't know. Presumably once things have evolved to a point where the weakest point in an ePO environment still meets FIPS specifications it will be possible to change FIPS modes without risk, but that's just speculation on my part.
Perhaps "oversight" is the wrong word, my apologies. My point is that McAfee have taken the effort to obtain FIPS certification, for which I am grateful, but have not provided a mechanism to easily enable it.
I wholly understand that the reason for the apparent inability to perform an in-place upgrade is due to the rules regarding FIPS compliance and this has nothing to do with McAfee. However, before McAfee went for accreditation perhaps they should have envisaged that some of their current ePO customers would be taking advantage of the feature and created a specific guide on how to migrate from non-FIPS to FIPS.
Up until now I have found that McAfee always provides excellent documentation and I am very surprised that there seems to be very little information on the McAfee Kbase regarding FIPS in general, let alone migrating from one environment to another, hence my reason for resorting to the community.
Thanks again for the feedback.
Just to close this thread.
McAfee have officially stated that for full FIPS compliance the ePO server and EEPC client must be installed with FIPS mode enabled. Therefore, if the ePO server was not originally installed with FIPS enabled, a new ePO server must be built using the setup.exe ENABLEFIPSMODE=1 command.